North American Network Operators Group


Re: large organization nameservers sending icmp packets to dns servers.

  • From: Joe Abley
  • Date: Tue Aug 07 15:25:37 2007



On 7-Aug-2007, at 14:38, Patrick W. Gilmore wrote:

On Aug 7, 2007, at 2:14 PM, Donald Stahl wrote:

All things being equal (which they're usually not) you could use the ACK
response time of the TCP handshake if they've got TCP DNS resolution
available. Though again most don't for security reasons...

Then most are incredibly stupid.

Those are impressively harsh words.

But they are hard to argue with.


In addition, any UDP truncated response needs to be retried via TCP; blocking it would cause a variety of problems.

Since we are talking about authorities here, one can control the size of one's responses.

"Never reply with anything big and hence never set TC" seems like a reasonable, expedient way to circumvent the problem of wholesale 53/tcp-blocking stupidity. It doesn't make the behaviour any less stupid, though.


The "security" argument looks even more bizarre when you consider what the DO bit in a request will do in general to the size of a response, in the case of an authority server which has signed zone data.


Joe
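The mechanics the thread argues about, as an added illustration that is not part of the list discussion: a query carrying the EDNS0 DO bit (which invites a much larger signed answer), and a reply with TC set, which a resolver must retry over TCP. The packets are constructed inline; the name, transaction id and sizes are arbitrary sample values.

```python
import struct

QR, TC, RD = 0x8000, 0x0200, 0x0100   # DNS header flag bits (RFC 1035)
OPT_TYPE, EDNS_DO = 41, 0x8000         # EDNS0 OPT pseudo-RR; DNSSEC OK bit lives in its TTL field

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus a root terminator."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(msg, pos):
    """Advance past an uncompressed wire-format name (queries carry no pointers)."""
    while msg[pos]:
        pos += 1 + msg[pos]
    return pos + 1

def build_query(qname, qtype=1, dnssec_ok=True, udp_size=4096, txid=0x1234):
    """One question plus an OPT RR; DO is set when dnssec_ok (constructed sample)."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, EDNS_DO if dnssec_ok else 0, 0)
    return header + question + opt

def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "rcode": flags & 0xF, "counts": (qd, an, ns, ar)}

def query_dnssec_ok(msg):
    """True if the query's OPT RR carries DO, i.e. the client asked for signed (larger) data."""
    qd, _, _, ar = parse_header(msg)["counts"]
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4          # skip QTYPE and QCLASS
    for _ in range(ar):
        pos = skip_name(msg, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == OPT_TYPE:
            return bool(ttl & EDNS_DO)
        pos += 10 + rdlen
    return False

def needs_tcp_retry(reply):
    """A reply with TC set is incomplete and must be repeated over 53/tcp; if that
    port is filtered, the resolver is left with no usable answer at all."""
    return parse_header(reply)["tc"]

# Constructed sample: the authority exceeded the UDP size limit and answered TC=1 with no records.
TRUNCATED_REPLY = (struct.pack("!HHHHHH", 0x1234, QR | RD | TC, 1, 0, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", 1, 1))
```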